Hi Alon,

Thanks for your reply.
On Nov 10, 2011, at 10:42 AM, Alon Bar-Lev wrote:

> Your whole concept is totally wrong.
> If you switch to hardware cryptography, and utilize its advantages,
> you do not have direct access to the private key.
> This is what makes hardware cryptography better than software-only solutions.
>
> OpenSSL is fully compatible with this approach, having an RSA object that
> can be used for crypto operations without actually having the private
> key. This is done via the concept of an "engine", which delegates the
> crypto calls to the hardware device.

Should I install the "engine_pkcs11" to get the NSS softoken to work?

> Try to perform a private key operation using the RSA object and see that it
> works.

Do you mean that I should use RSA_sign instead of X509_sign?

Best Regards,
Weizhong

> Alon.
>
> On Thu, Nov 10, 2011 at 10:02 AM, weizhong qiang
> <weizhongqi...@gmail.com> wrote:
>> Hi Alon,
>>
>> On Nov 10, 2011, at 8:24 AM, Alon Bar-Lev wrote:
>>
>>> Hello,
>>>
>>> You can't.
>>> pkcs11-helper targets developers who want to use smartcards without
>>> the overhead of the actual card management.
>>> Well-behaved smartcards should not allow export of the private key.
>>
>> But it seems that pk12util can accomplish this task:
>> https://developer.mozilla.org/en/NSS_reference/NSS_tools_:_pk12util
>>
>>> Why do you need the private key anyway?
>>
>> My current code (based on OpenSSL) is for grid computing usage. We use a
>> file-based EEC credential (cert.pem, key.pem) to generate a proxy
>> certificate, and then use the proxy certificate to communicate with peer
>> ends.
>> Now we need to switch to PKCS#11 for the storage of the EEC
>> credential, instead of the file-based storage, because PKCS#11 provides a
>> higher level of security.
>> The reason I need to retrieve the private key is that I need the X509 and the
>> private key for generating the proxy certificate.
>> I see some piece of code here:
>> http://codesearch.google.com/#RnTPnPMDu28/staticopenvpn/openvpn/pkcs11.c&ct=rc&cd=1&q=SSL_CTX_use_pkcs11&exact_package=git://github.com/spokn/lib.git&l=606
>> /**********/
>>
>>     if ((rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL) {
>>         msg (M_WARN, "PKCS#11: Unable get rsa object");
>>         goto cleanup;
>>     }
>>
>>     if ((x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL) {
>>         msg (M_WARN, "PKCS#11: Unable get certificate object");
>>         goto cleanup;
>>     }
>>
>>     if (!SSL_CTX_use_RSAPrivateKey (ssl_ctx, rsa)) {
>>         msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
>>         goto cleanup;
>>     }
>>
>>     if (!SSL_CTX_use_certificate (ssl_ctx, x509)) {
>>         msg (M_WARN, "PKCS#11: Cannot set certificate for openssl");
>>         goto cleanup;
>>     }
>>
>> ******/
>>
>> From the above code, I concluded that it is possible to retrieve the private
>> key. Maybe this piece of code will not work.
>>
>> Thanks for your kind help.
>>
>> Best Regards,
>> Weizhong Qiang
>>
>>> Alon.
>>>
>>> On Thu, Nov 10, 2011 at 3:27 AM, weizhong qiang <weizhongqi...@gmail.com>
>>> wrote:
>>>
>>>> Hi all,
>>>>
>>>> I tried to use the pkcs11-helper API to retrieve the X509 and private key from
>>>> the NSS softtoken, with version 1.09 of pkcs11-helper.
>>>>
>>>> I can get the X509 object, but the returned RSA object only includes the
>>>> public key, rather than the private key.
>>>>
>>>> I paste the code below.
>>>>
>>>> Could anyone give me some hint about how to get the private key?
>>>>
>>>> Thanks a lot,
>>>>
>>>> Weizhong Qiang
>>>>
>>>>     pkcs11h_certificate_id_list_t issuers;
>>>>     pkcs11h_certificate_id_list_t certs;
>>>>     pkcs11h_certificate_id_t find = NULL;
>>>>
>>>>     CK_RV rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE, NULL,
>>>>                                                       PKCS11H_PROMPT_MASK_ALLOW_ALL, &issuers, &certs);
>>>>     if(rv != CKR_OK || certs == NULL) {
>>>>         PKCS11UtilLogger.msg(ERROR, "Cannot enumerate certificates: %s", pkcs11h_getMessage(rv));
>>>>         return false;
>>>>     }
>>>>     PKCS11UtilLogger.msg(INFO, "Succeed to enumerate certificate");
>>>>
>>>>     // Pick the certificate whose label matches certname.
>>>>     int i = 0;
>>>>     for(pkcs11h_certificate_id_list_t cert = certs; cert != NULL; cert = cert->next) {
>>>>         std::string label = cert->certificate_id->displayName;
>>>>         i++;
>>>>         PKCS11UtilLogger.msg(INFO, "The name of the %d certificate is %s \n", i, label.c_str());
>>>>         if(certname == label) {
>>>>             pkcs11h_certificate_duplicateCertificateId(&find, cert->certificate_id);
>>>>             //TODO: probably it is needed to deal with the case that multiple
>>>>             //certificates with the same name exist.
>>>>             break;
>>>>         }
>>>>     }
>>>>     pkcs11h_certificate_freeCertificateIdList(issuers);
>>>>     pkcs11h_certificate_freeCertificateIdList(certs);
>>>>
>>>>     if(find == NULL) {
>>>>         PKCS11UtilLogger.msg(ERROR, "Could not find certificate with the name %s", certname.c_str());
>>>>         return false;
>>>>     }
>>>>
>>>>     pkcs11h_certificate_t certificate;
>>>>     rv = pkcs11h_certificate_create(find, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
>>>>                                    PKCS11H_PIN_CACHE_INFINITE, &certificate);
>>>>     if(rv != CKR_OK) {
>>>>         PKCS11UtilLogger.msg(ERROR, "Can not read certificate: %s", pkcs11h_getMessage(rv));
>>>>         pkcs11h_certificate_freeCertificateId(find);
>>>>         return false;
>>>>     }
>>>>     pkcs11h_certificate_freeCertificateId(find);
>>>>
>>>>     pkcs11h_openssl_session_t openssl_session = NULL;
>>>>     if((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL) {
>>>>         PKCS11UtilLogger.msg(ERROR, "Cannot initialize openssl session to retrieve X509 and RSA");
>>>>         pkcs11h_certificate_freeCertificate(certificate);
>>>>         return false;
>>>>     }
>>>>     certificate = NULL; // the certificate object will be released by openssl_session
>>>>
>>>>     X509* x509_local = pkcs11h_openssl_session_getX509(openssl_session);
>>>>     RSA* rsa_local = pkcs11h_openssl_session_getRSA(openssl_session);
>>>>     bool ret = true;
>>>>     if(!x509_local) { PKCS11UtilLogger.msg(ERROR, "Cannot get X509 object"); ret = false; }
>>>>     if(!rsa_local) { PKCS11UtilLogger.msg(ERROR, "Cannot get RSA object"); ret = false; }
>>>>     if(ret) {
>>>>         PKCS11UtilLogger.msg(INFO, "Succeed to get X509 and RSA");
>>>>         *x509 = x509_local;
>>>>         *rsa = rsa_local;
>>>>     } else {
>>>>         // Do not hand back a half-initialized pair; release whatever we did get.
>>>>         if(x509_local) X509_free(x509_local);
>>>>         if(rsa_local) RSA_free(rsa_local);
>>>>     }
>>>>     pkcs11h_openssl_freeSession(openssl_session);
>>>>     return ret;
>>>>
>>>> _______________________________________________
>>>> opensc-devel mailing list
>>>> opensc-devel@lists.opensc-project.org
>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
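Added example (not part of the thread, and not code from pkcs11-helper or OpenSSL): the point Alon makes above, and the practical answer to the X509_sign question, can be shown without a token at hand. X509_sign does not need the key material either; it signs through whatever EVP_PKEY it is given. The RSA object that pkcs11h_openssl_session_getRSA() returns carries only the public components, exactly as observed in the first post, but its RSA_METHOD points at the token, which is the "engine" Alon refers to. Wrapping it with EVP_PKEY_set1_RSA() and passing that EVP_PKEY to X509_sign() for the proxy certificate makes the signature happen on the token, and X509_sign() ends up in RSA_sign() on the same object anyway, so switching to RSA_sign() by hand gains nothing. The Python below uses only the standard library and models the two arrangements side by side: SoftwareKey is the cert.pem/key.pem credential with the private exponent in process memory, TokenKey is the engine-style object that offers only sign() and the public half, and sign_proxy() stands in for X509_sign and works unchanged with either. The class and function names, the throwaway 512-bit key and the TBS byte string are constructed for the example.

```python
# Added example, not from the thread, pkcs11-helper or OpenSSL: a signing interface
# that never hands out the private key.  Names, the throwaway 512-bit demo key (far too
# small for real use) and the TBS bytes are constructed for illustration.
import hashlib
import secrets

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def _is_probable_prime(n, rounds=16):  # Miller-Rabin for odd n > 19; fine for a demo key
    for p in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while not _is_probable_prime(cand := secrets.randbits(bits) | (1 << (bits - 1)) | 1):
        pass  # candidate is full length and odd; loop until one passes
    return cand

def generate_toy_rsa(bits=512):
    e = 65537
    while True:  # returns (n, e, d)
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def _emsa_pkcs1_v15(msg, em_len):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(msg) (RFC 8017, section 9.2)."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    ps_len = em_len - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for SHA-256 PKCS#1 v1.5")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t

def _raw_sign(msg, n, d):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(msg, k), "big"), d, n).to_bytes(k, "big")

class PublicKey:  # the half anyone may hold: enough to verify, never to sign
    def __init__(self, n, e):
        self.n, self.e = n, e

    def verify(self, msg, sig):
        k = (self.n.bit_length() + 7) // 8
        s = int.from_bytes(sig, "big")
        if len(sig) != k or s >= self.n:
            return False
        em = pow(s, self.e, self.n).to_bytes(k, "big")
        return secrets.compare_digest(em, _emsa_pkcs1_v15(msg, k))

class SoftwareKey:
    """File-based credential (the key.pem model): d lives in process memory."""
    def __init__(self, n, e, d):
        self.n, self.e, self.d = n, e, d

    def sign(self, msg):
        return _raw_sign(msg, self.n, self.d)

class TokenKey:
    """Token-resident credential, modelled on an engine-backed RSA object: it exposes
    the public half and sign(); d is held only by the closure standing in for the
    token's C_Sign (a model of the interface, not a real isolation boundary)."""
    def __init__(self, n, e, d):
        self.n, self.e = n, e
        self._c_sign = lambda msg: _raw_sign(msg, n, d)  # runs "on the token"

    def sign(self, msg):
        return self._c_sign(msg)

def sign_proxy(tbs, issuer_key):
    """X509_sign analogue: needs sign(), not the private exponent, so TokenKey works like SoftwareKey."""
    return issuer_key.sign(tbs)

def demo():
    n, e, d = generate_toy_rsa()
    tbs = b"proxy-tbs: subject=CN=weizhong/CN=proxy issuer=CN=weizhong"  # constructed
    file_key, token_key, pub = SoftwareKey(n, e, d), TokenKey(n, e, d), PublicKey(n, e)
    sig_file, sig_token = sign_proxy(tbs, file_key), sign_proxy(tbs, token_key)
    return {
        "file_verifies": pub.verify(tbs, sig_file),
        "token_verifies": pub.verify(tbs, sig_token),
        "same_signature": sig_file == sig_token,  # PKCS#1 v1.5 is deterministic
        "token_exposes_d": hasattr(token_key, "d"),
        "tamper_rejected": not pub.verify(tbs + b"!", sig_token),
    }
```

Calling demo() shows both signatures verifying against the same public key, the two signatures being byte-identical (the token did the same arithmetic, just out of reach of the caller), no d attribute on the token object, and a modified TBS being rejected. The design point for the grid code is that the proxy-signing routine should take the key object, not the key material: written that way, it compiles and runs unchanged whether the EVP_PKEY wraps a key read from key.pem or the pkcs11-helper RSA object, and the switch to PKCS#11 storage does not require exporting anything from the token.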